(54) A method for generating pseudo-random numbers



(57) The present invention is a method for outputting a larger bit size pseudo-random number z_i that is cryptographically secure. Since larger bit size pseudo-random numbers are being outputted, larger bit size segments of messages may be encrypted, resulting in a speedier encryption process than encryption processes of the prior art. In one embodiment, the present invention is a pseudo-random number generator defined by a modular exponential function x_i = g^{x_{i-1}} mod p. The output of the pseudo-random number generator is a pseudo-random number z_i comprising a j-1 bit size segment of x_i. The value of j is less than or equal to m-2c (i.e., j <= m-2c). In an embodiment of the present invention, the pseudo-random number z_i includes the j least significant bits of x_i excluding the least significant bit of x_i.



[FIG. 3 (front-page drawing): PN generator 22 produces x_i, shown as a row of bits from the most significant bit down to the least significant bit; the second least significant bit through the j-th least significant bit (j-1 bits in total) are output as z_i and combined by the XOR operator with a j-1 bit message segment to produce a j-1 bit encrypted message segment.]



EP 0 949 563 A2 

Description 

Field of the Invention 

[0001] The present invention relates generally to cryptography and, in particular, to pseudo-random number generators.

Background of the Related Art 

[0002] Pseudo-random generators are used in some forms of cryptography to provide secured communication means for the transmission of messages between a transmitter and a receiver. Security is provided such that only an intended receiver can understand a message (e.g., voice or data) transmitted by an authorized transmitter, and only the authorized transmitter can send the message to the intended receiver. The challenge of cryptography is to change a message into a form that only the intended receiver can comprehend. This must be done in a way that is economical for both the transmitter and the intended receiver. At the same time, it must be very difficult (in terms of time and/or processing capabilities) for an unauthorized receiver (i.e., not the intended receiver) to comprehend the message. As unauthorized receivers and unauthorized transmitters become more sophisticated, the need for secured communications becomes greater.

[0003] FIG. 1 depicts a functional block diagram of a transmitter 10 in the prior art having a cryptographic device for encrypting messages. The cryptographic device comprises pseudo-random number (PN) generator 12 and XOR operator 14. PN generator 12 is defined by the following modular exponential function:

x_i = g^{x_{i-1}} mod p (equation 1)

wherein x_i is a value comprising m bits, p is a prime number comprising k bits, g is a generator of the integers mod p and 1 <= i <= n. Since equation 1 is a modular exponential function, the value of m should be less than or equal to k (i.e., m <= k). Value x_1 is generated initially by providing PN generator 12 with seed value x_0, which is a secret value comprising m bits and known only to the authorized transmitter and the intended receiver. Thus, value x_1 is equal to g^{x_0} mod p. Value x_1 is used to generate x_2 (i.e., x_2 = g^{x_1} mod p), which is then used to generate x_3, and so on.

[0004] PN generator 12 outputs a pseudo-random number z_i comprising a d bit size segment of x_i. The pseudo-random number z_i is then used to encrypt a d bit size segment of a message to be transmitted. Specifically, XOR operator 14 receives as inputs the message segment and the pseudo-random number z_i. The message segment is XORed with the pseudo-random number z_i to produce a d bit size encrypted message segment. The values of d, m, and k depend, in part, on the degree of cryptographic security (or difficulty) sought to be attained, as will be described herein.

[0005] Cryptographic security depends on two factors: (1) the degree of difficulty in solving a discrete logarithm problem for x_i, and (2) the degree of difficulty in breaking the pseudo-random number generator given one or more pseudo-random numbers z_i (comprising d bits). Assuming all m bits of x_i are available, solving a discrete logarithm problem for x_i involves the determination of x_{i-1} such that x_i = g^{x_{i-1}} mod p. A discrete logarithm problem is considered computationally hard, and therefore cryptographically secure, if 2^c number of operations are required to solve it, wherein c represents a cryptographic security threshold level. The standard belief is that a discrete logarithm problem is hard if it takes at least 2^64 number of operations to solve it (i.e., c >= 64).

[0006] A discrete logarithm problem can be solved by a variety of techniques. The two most efficient techniques are the well-known index calculus technique and the square root technique. To solve the discrete logarithm problem for x_i using the index calculus technique, it would require

O(2^{a sqrt(log2 p · log2 log2 p)}) (equation 2)

operations, wherein a is a constant. If c=64, the hard threshold (of 2^64 number of operations) is met when p comprises at least 512 bits (i.e., k >= 512). Thus, the value selected for k is dependent upon the value of c. By contrast, to solve the discrete logarithm problem for x_i using the square root technique, it would require

O(2^{m/2}) (equation 3)

operations. If c=64, the hard threshold is met when x_i comprises at least 128 bits (i.e., m >= 128). Thus, the value of m is also dependent upon the value of c.

[0007] As mentioned earlier, solving the discrete logarithm problem for x_i assumes all m bits of x_i are available. If only d bit size segments of x_i (i.e., pseudo-random numbers z_i) are available, then the predecessor step to solving the discrete logarithm problem for x_i is to somehow determine all m bits of x_i. This is the aforementioned second factor of cryptographic security, which involves breaking the pseudo-random number generator given one or more pseudo-random numbers z_i. A pseudo-random number generator is considered cryptographically secure if, given one or more pseudo-random numbers z_i, all m bits of x_i would be difficult to predict or determine. It is believed that if the PN generator outputs smaller bit size pseudo-random numbers z_i (i.e., small segments of x_i), less data would be available to a cryptanalyst to use to predict any other bits of x_i. The exact size of the pseudo-random number z_i being outputted would depend on the degree of cryptographic security sought to be attained; that is, the value of d is dependent upon the value of c.

[0008] Blum-Micali presented a PN generator which outputted pseudo-random numbers z_i comprising only the most significant bit of x_i, i.e., d=1. Blum-Micali showed that the degree of difficulty in breaking this PN generator is equivalent to the degree of difficulty in solving a discrete logarithm problem for the modular exponential function of x_i. Thus, if solving the discrete logarithm problem for x_i is hard, then breaking Blum-Micali's PN generator (outputting pseudo-random numbers z_i comprising only the most significant bit) is also hard.

[0009] By contrast, Peralta presented a successor PN generator which outputted pseudo-random numbers z_i comprising the log2 m most significant bits, i.e., d=log2 m. For example, if x_i comprises 512 bits, then the PN generator would output pseudo-random numbers z_i comprising no more than the nine (i.e., log2 512) most significant bits of x_i. Or if x_i comprises 1024 bits, then the PN generator would output pseudo-random numbers z_i comprising no more than the ten (i.e., log2 1024) most significant bits of x_i. Peralta showed that the degree of difficulty in breaking this PN generator is also equivalent to the degree of difficulty in solving the discrete logarithm problem for the modular exponential function of x_i. Thus, if solving the discrete logarithm problem for x_i is hard, then breaking Peralta's PN generator (outputting pseudo-random numbers z_i comprising only the log2 m most significant bits) is also hard.

[0010] Although encryption processes that use the PN generators presented by Blum-Micali and/or Peralta are cryptographically secure, these PN generators output pseudo-random numbers z_i comprising no more than log2 m bits of x_i. Since log2 m is a relatively small value, only small bit size segments of messages can be encrypted for every pseudo-random number z_i outputted by the PN generator. This results in a slower encryption process because more pseudo-random numbers z_i have to be outputted to encrypt the entire message. Accordingly, there exists a need for a pseudo-random number generator that outputs larger bit size pseudo-random numbers z_i and is cryptographically secure.

Summary of the Invention

[0011] The present invention is a method for outputting a larger bit size pseudo-random number z_i that is cryptographically secure. Since larger bit size pseudo-random numbers are being outputted, larger bit size segments of messages may be encrypted, resulting in a speedier encryption process than encryption processes of the prior art. In one embodiment, the present invention includes a pseudo-random number generator defined by a modular exponential function x_i = g^{x_{i-1}} mod p, wherein x_i is a value comprising m bits, p is a prime number comprising k bits, g is a generator of the integers mod p, m <= k, and 1 <= i <= n. The values of m and k are selected to make solving the discrete logarithm for the modular exponential function of x_i hard. The output of the pseudo-random number generator is a pseudo-random number z_i comprising a j-1 bit size segment of x_i. The value of j is less than or equal to m-2c (i.e., j <= m-2c). In an embodiment of the present invention, the pseudo-random number z_i includes the j least significant bits of x_i excluding the least significant bit of x_i. The output of the pseudo-random number generator is then used to encrypt an equal size segment of a message to be transmitted.

[0012] Advantageously, the present invention uses larger bit size pseudo-random numbers z_i to encrypt messages, thus resulting in an encryption process that is faster than encryption processes of the prior art that use smaller bit size pseudo-random numbers z_i (e.g., pseudo-random numbers comprising log2 m bits). Although the use of larger bit size pseudo-random numbers is counter-intuitive to prior art cryptographic security beliefs with respect to breaking the pseudo-random number generator, the present invention's utilization of larger bit size pseudo-random numbers z_i is cryptographically secure. Specifically, the degree of difficulty in breaking the pseudo-random number generator of the present invention is equivalent to the degree of difficulty in solving the discrete logarithm for a short exponential function y = g^s mod p, wherein y is a value comprising m bits, s is a short exponent comprising 2c bits, p is the prime number comprising k bits, g is the generator of the integers mod p, c represents a cryptographic security (or difficulty) threshold level, and 2c << m <= k. The values of c and k are selected to make solving the discrete logarithm for the short exponential function of y hard.
Brief Description of the Drawings

[0013] The features, aspects, and advantages of the present invention will become better understood with regard to the following description, appended claims, and accompanying drawings where:

FIG. 1 depicts a functional block diagram of a transmitter in the prior art having a cryptographic device for encrypting messages;

FIG. 2 depicts a functional block diagram of a transmitter comprising a cryptographic device for encrypting messages used in accordance with the present invention; and

FIG. 3 depicts a diagram of the pseudo-random generator of FIG. 2 generating a value x_i and outputting the j least significant bits excluding the least significant bit.

Detailed Description

[0014] FIG. 2 depicts a functional block diagram of a transmitter 20 comprising a cryptographic device for encrypting messages used in accordance with the present invention. The cryptographic device comprises pseudo-random number (PN) generator 22 and XOR operator 24. PN generator 22 is a device for outputting pseudo-random numbers, such as an n stage maximal length shift register or an ASIC executing a pseudo-random number generator program. PN generator 22 is defined by the following modular exponential function:

x_i = g^{x_{i-1}} mod p (equation 4)

wherein x_i is a value comprising m bits, p is a prime number comprising k bits, g is a generator of the integers mod p, and 1 <= i <= n. Since equation 4 is a modular exponential function, the value of m is less than or equal to k (i.e., m <= k).
[0015] The values of m and k are chosen such that it would be difficult or hard to solve a discrete logarithm problem for the modular exponential function of x_i using any of the well-known techniques for solving discrete logarithm problems, such as the index calculus technique and the square root technique, wherein difficulty or hardness is expressed in terms of requiring 2^c number of operations to solve the discrete logarithm problem and c represents a cryptographic security threshold level. Specifically, the value of k should be chosen such that 2^c is approximately equal to or less than

O(2^{a sqrt(log2 p · log2 log2 p)});

and the value of m should be chosen such that 2^c is approximately equal to or less than 2^{m/2}. For example, if the degree of difficulty sought to be attained is at least 2^64 (i.e., c >= 64), then k >= 512 and m >= 128.

[0016] Value x_1 is generated initially by providing PN generator 22 with seed value x_0, which is a secret value comprising m bits and known only to the transmitter 20 and an intended receiver. Thus, x_1 is equal to g^{x_0} mod p. Value x_1 is used to generate x_2 (i.e., x_2 = g^{x_1} mod p), which is then used to generate x_3, and so on. Although PN generator 22 generates all m bits of x_i, it only outputs pseudo-random numbers z_i comprising a j-1 bit size segment of x_i. The value of j is some value less than or equal to m-2c. In one embodiment, the pseudo-random number z_i comprises the j least significant bits of x_i excluding the least significant bit of x_i (i.e., the x_i segment includes the second least significant bit of x_i through the j-th least significant bit of x_i). See FIG. 3, which depicts a diagram of the pseudo-random generator 22 (defined by equation 4) generating a value x_i and outputting the j least significant bits excluding the least significant bit. For illustrative purposes, the remainder of this application will be described herein with respect to a pseudo-random number generator that outputs pseudo-random numbers comprising the second least significant bit of x_i through the j-th least significant bit of x_i. This should not, however, be construed to limit the present invention in any manner.
[0017] As described in the section entitled "Proof" below, the degree of difficulty in breaking this PN generator (which outputs, for example, the second through j-th least significant bits of x_i) is equivalent to solving a discrete logarithm problem for a short exponential function

y = g^s mod p (equation 5)

wherein y is a value comprising m bits, s is a short exponent comprising 2c bits, p is the prime number comprising k bits, and g is the generator of the integers mod p. Since equation 5 is a short exponential function, the value of 2c is typically much less than the values of m and k (i.e., 2c << m <= k).
[0018] If the discrete logarithm problem for the short exponential function of y is difficult to solve, then the PN generator of the present invention is difficult to break. The values of c and k are chosen such that it would be difficult to solve the discrete logarithm problem for the short exponential function of y using any of the well-known techniques for solving discrete logarithm problems, such as the index calculus technique and the square root technique. For example, suppose the degree of cryptographic security sought to be attained is at least 2^64 (number of operations) to solve the discrete logarithm problem for y. Then the value of k should comprise at least 512 bits and m should comprise at least 128 bits; that is, if k >= 512 and m >= 128, then at least 2^64 number of operations are required to break the pseudo-random number generator of equation 4 outputting the j least significant bits excluding the least significant bit. If at least 2^64 number of operations are also required to solve the discrete logarithm problem of equation 4, then 2 x 2^64 (i.e., 2^65) combined number of operations are required to solve both discrete logarithm problems (for x_i and y). Since PN generator 22 is defined by a modular exponential function (of equation 4), the value of m could be as large as the value of k. If the value of k is 512 (or 1024), then the value of m could be as large as 512 (or 1024). Accordingly, when k is 512 (or 1024) and c is 64, PN generator 22 can output pseudo-random numbers z_i as large as 383 (or 895) bits, which is substantially larger than the bit sizes of the pseudo-random numbers being outputted by prior art PN generators.

[0019] PN generator 22's output (i.e., pseudo-random number z_i) is provided as input to XOR operator 24, which is a device for performing XOR operations, such as an XOR gate or an ASIC executing an XOR operation. XOR operator 24 receives PN generator 22's output and XORs it with an equal size segment of a message to produce an encrypted message segment comprising j-1 bits, as shown in FIG. 3. Note that XOR operator 24 may be replaced with any other device for combining the bits of the PN generator's output with the bits of the message.

[0020] The encrypted message is subsequently transmitted by the transmitter 20 to a receiver comprising a pseudo-random number generator defined by the same exponential function and an XOR operator. If the receiver is the intended receiver, the seed value x_0 would be known or determinable by the receiver. Thus, the intended receiver would be able to generate the same pseudo-random numbers z_i as those generated by the transmitter. The pseudo-random numbers z_i could then be used to decrypt the encrypted message segments, therefore allowing the intended receiver to comprehend the transmitted message.
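The generator of equation 4, the j-1 bit output selection of [0016], the parameter rule j <= m-2c of [0015] and [0018], and the XOR combining with a matching receiver of [0019] and [0020], worked through in Python as an added example that is not part of the patent. The prime p = 2^31-1 with generator g = 7, the toy threshold c = 4 and the seed value are constructed for illustration and are far too small for real use; the patent's own selection (k >= 512, m >= 128 for c = 64) is what a deployment would need, and the index calculus bound of equation 2 is not checked here because the page does not fix the constant a.

```python
# Added example (not the patent's own code). Toy parameters constructed for
# illustration only: a 31-bit prime, so k = m = 31, and a toy threshold c = 4.
P = 2**31 - 1             # k = 31 bits; 7 is a primitive root of this Mersenne prime
G = 7
K_BITS = P.bit_length()   # k
M_BITS = K_BITS           # x_i < p, so m <= k; here m = k
C_TOY = 4                 # security threshold level c (toy value, not the patent's 64)


def generate_x(g, p, x_prev):
    """One step of equation 4: x_i = g^(x_{i-1}) mod p."""
    return pow(g, x_prev, p)


def output_segment(x, j):
    """z_i: the j least significant bits of x_i with the least significant bit
    excluded, i.e. bit positions 1 .. j-1 (0-indexed), a (j-1)-bit value."""
    return (x >> 1) & ((1 << (j - 1)) - 1)


def params_ok(k, m, c, j):
    """The patent's constraints: m <= k, 2c << m (checked as 2c < m), 1 < j <= m - 2c."""
    return m <= k and 2 * c < m and 1 < j <= m - 2 * c


def max_output_bits(m, c):
    """Largest z_i size the rule allows: j = m - 2c gives j - 1 output bits."""
    return m - 2 * c - 1


def xor_segments(data, g, p, seed, j):
    """XOR operator 24: each (j-1)-bit message segment is XORed with z_i.
    j-1 must be a multiple of 8 so segments align with bytes. XOR is its own
    inverse, so the same call with the same seed decrypts."""
    if (j - 1) % 8 != 0:
        raise ValueError("j-1 must be a multiple of 8 for byte-aligned segments")
    seg_bytes = (j - 1) // 8
    out = bytearray()
    x = seed                       # x_0, the shared secret seed
    for off in range(0, len(data), seg_bytes):
        chunk = data[off:off + seg_bytes]
        x = generate_x(g, p, x)    # x_i from x_{i-1}; all m bits stay inside
        z = output_segment(x, j)   # only j-1 bits of x_i leave the generator
        zb = z.to_bytes(seg_bytes, "big")[:len(chunk)]  # trailing short segment
        out.extend(a ^ b for a, b in zip(chunk, zb))
    return bytes(out)


def roundtrip(message, seed, j=17):
    """Transmitter 20 encrypts; the intended receiver, holding the same seed
    x_0, regenerates the same z_i values and decrypts."""
    if not params_ok(K_BITS, M_BITS, C_TOY, j):
        raise ValueError("j violates the constraint j <= m - 2c")
    ciphertext = xor_segments(message, G, P, seed, j)
    recovered = xor_segments(ciphertext, G, P, seed, j)
    return ciphertext, recovered
```

The seed x_0 is the only secret, and as with any XOR keystream the same seed must never be reused for two messages; `params_ok` is the check a reviewer would want before accepting a (k, m, c, j) choice, and `max_output_bits` reproduces the 383 and 895 bit figures of [0018].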

Proof 

Introduction 

[0021] A function f is said to be one way if it is easy to compute but hard to invert. With appropriate selection of parameters, the discrete exponentiation function over a finite field, g^x mod p where g is a generator of the cyclic group of non-zero elements in the finite field, is believed to be a one way function. The intractability of its inverse, the discrete logarithm problem, is the basis of various encryption, signature and key agreement schemes. Apart from finite fields, other finite groups have been considered in the context of discrete exponentiation. One such example is the group of points on an elliptic curve over a finite field. Koblitz and Miller (independently) [Ko], [Mil], considered the group law on an elliptic curve to define a public key encryption scheme, suggesting that elliptic curve addition is also a one way function. Another number theoretic problem that is considered to be hard is the problem of factoring integers. Examples of functions relying on factoring which are believed to be one way are the RSA and Rabin functions. Closely related to factoring is the problem of deciding quadratic residuosity modulo a composite integer.

[0022] A concept which is intimately connected to one way functions is the notion of hard bits. Based on one way functions, Blum & Micali were the first to introduce the concept of hard bits. Informally, a hard bit B(.) for a one way function f(.) is a bit which is as hard to compute as it is to invert f. Blum and Micali showed that the most significant bit is a hard bit for the discrete logarithm problem over a finite field. To be precise, their notion of most significant bit corresponds to the Boolean predicate which is one if the index of the exponent is greater than (p-1)/2 and zero otherwise. They defined and proved this hard bit and successfully used it to show the importance of hard bits in secure pseudo random bit generation. Soon after, the hard bits of the RSA & Rabin functions were also discovered by Ben-Or et al [BCS], which led to a new secure pseudo random bit generator. In 1986, Blum, Blum and Shub [BBS] used the quadratic residue problem over a composite integer to design yet another secure pseudo random bit generator. Their work was based on the security of the quadratic residue problem which was investigated by Goldwasser and Micali [GM84]. Later Goldreich and Levin [GL] proved that all one way functions have a hard bit. More generally they were able to show that for any one way function a logarithmic number of one bit hard predicates exist. This in particular proves the existence of at least a logarithmic number of secure pseudo random bit generators attached to a given one way function. The use of pseudo random bits in cryptography relates to one time pad style encryption and bit commitment schemes, to name a few.

[0023] All the above generators based on one bit predicates suffer from the same problem, namely they are too slow: all of them output one bit per modular exponentiation. The concept of simultaneous hardness is the first step in speeding things up. Intuitively, the notion of simultaneous hardness applied to a group of bits associated to a one way function f states that it is computationally as hard as the inverse of the one way function to succeed in computing any information whatsoever about the given group of bits given only f(x). Using this notion one can extract collections of bits per operation and hence the speed up. Long and Wigderson [LW] were the first to show that log log p bits of the discrete log modulo a prime number p are simultaneously hard. On the other hand the works of Vazirani and Vazirani [VV] and Alexi et al [ACGS] address the notion of simultaneous hardness of RSA and Rabin bits. Later Kaliski showed individual hardness of bits (in the Blum-Micali sense) of the elliptic curve group addition problem using a novel oracle proof technique applicable to any finite Abelian group. His methods extend to show simultaneous hardness (stated but not proved in the paper) of log n bits where n is the order of the group [Ka]. More recently, Hastad, Schrift and Shamir [HSS] have designed a much more efficient generator which produces n/2 bits per iteration where n is the number of bits of the modulus. The one way function they have considered is the discrete exponentiation function modulo a composite integer (to be precise a Blum integer). Once again the method of generation relies on the proof that n/2 bits of every iteration are simultaneously hard. The use of a composite modulus allows them to relate individual and simultaneous hardness of bits to factoring the modulus. In all these works the common thread is the results of Yao contained in his seminal work [Y], which laid the foundations of a complexity theoretic approach to cryptography and paved the way for a quantification of security in terms of known hard problems.

[0024] In this paper we construct a very efficient cryptographic pseudo random bit generator attached to modular exponentiation in a finite field. We show that n-O(log n)^+ bits of every iteration are simultaneously secure, where O(log n)^+ is equal to the smallest non-polynomial quantity in log n. Hence each iteration produces more bits than any other method discovered so far. The novelty in this work is to relate the security of the random bit generation to the problem of solving the discrete logarithm with short exponents. The motivation for this technique is derived from the above mentioned work of Hastad et al where, although they are using a modular exponential function modulo a composite, the security of the system is related to factoring the underlying modulus. In a similar but not so obvious sense, we use exponentiation in a finite field for the generation but relate the security to the strength of the discrete log problem (over the same prime modulus) but with short exponents. In this paper an oracle for the i-th bit gives the value of the i-th bit when the binary representation is used for the argument. This is a different representation of the i-th bit than that used by Blum-Micali and Long-Wigderson. Also, our representation is the same as the representation that Hastad et al have considered. The paper is organized as follows: In section 2 we discuss the discrete log problem and in particular the short exponent discrete log problem. Details of the oracles and hardness of bits are formalized in this section. In section 3 we show that the trailing n-O(log n)^+ bits are individually hard with respect to the discrete logarithm problem with short exponents. In section 4 we prove simultaneous hardness of n-O(log n)^+ bits. Once again this is with respect to the discrete log with short exponents problem. In section 5 we discuss the design of the system and provide the proof of security and conclude in section 6. In the appendix, we discuss some extensions of this work to include other Abelian groups and possible ways to improve the efficiency of the pseudo random generator.

The Discrete Logarithm Problem

[0025] We first define the discrete logarithm problem. Let p be a prime and g a generator for (Z/(p))*, the multiplicative cyclic group of nonzero elements in the finite field of order p. Then for 1 <= x <= (p-1) the function g^x mod p defines a permutation.

Problem 1

[0026] The discrete logarithm problem is to find x given y in (Z/(p))* such that g^x mod p = y. Let n = log p be the length of p in binary; then g^x mod p is computable in Poly(n) time. However, there is no known deterministic or randomized algorithm which can compute the discrete logarithm in Poly(n) number of steps. The best algorithm to compute the discrete logarithm in a finite field of order p is the index calculus method. Even this is not feasible if p is appropriately large (e.g. 1024 bits) since the complexity is sub-exponential and not polynomial in n. On the other hand, for primes such that (p-1) consists of only small factors, there are very fast algorithms whose complexity is equal to the complexity of the discrete log in a field whose cardinality is equal to its largest prime factor. This algorithm is due to Pohlig and Hellman [PH].

Discrete Logarithm with Short Exponents

[0027] For efficiency purposes the exponent x is sometimes restricted to c bits (c=128 or 160 bits) since this requires fewer multiplications. There are square root time algorithms to find x in square root of c steps, due to Shanks [Sh] and Pollard [Po]. Thus c should be at least 128 bits to provide 64 bits of security. By this we mean an attacker should perform at least 2^64 number of operations in order to crack the discrete logarithm using these algorithms. At the moment, there is no faster way to discover the discrete logarithm even with x so restricted.

[0028] We will also restrict x; in particular, we will restrict it to be slightly greater than O(log n) bits, but not to save on multiplication. The exact size of the exponent will be denoted O(log n)^+, where the superscript + indicates that it is greater than any polynomial in log n. Hence even with the square root attack one needs greater than 2^{O(log n)^+} steps, or greater than a polynomial in n number of steps.

[0029] The hard problem we consider in this paper is the inverse of this special case of the discrete exponentiation function. To be precise, we consider the case of modular exponentiation in a finite field of order p (a prime number) with short exponents. The inverse of this problem is the discrete logarithm with short exponents (DLSE). In other words:

Problem 2

[0030] Let p be a large bit prime which has at least one large prime factor. Let x be an integer which is significantly smaller compared to p. Let g be a generator of the cyclic group of nonzero elements in the finite field of integers modulo the chosen prime p. Given g and g^x = y, find x.

[0031] The DLSE problem has been scrutinized and a summary of the results is presented in [OW], where they study this problem in the context of the Diffie-Hellman key agreement scheme. The use of short exponents in the Diffie-Hellman protocol is to speed up the process of exponentiation. Typically the cost of computing g^x is linearly related to the bit length of x, hence real-time computing costs have motivated the use of low order exponents. Care is necessary to ensure that such optimizations do not lead to security weaknesses. The above mentioned paper [OW] presents a set of attacks and methods to rectify the situation. In particular their conclusions suggest the use of safe primes.

[0032] Another example of the use of shorter exponents is in the generation of digital signatures. The digital signature standard (DSS) published by the NIST [DSS] is based on the discrete logarithm problem. It is a modification of the ElGamal signature scheme [EG]. The ElGamal scheme usually leads to a signature having 2n bits, where n is the number of bits of p (the modulus). For potential applications a shorter signature is desirable. DSS modifies the ElGamal scheme so that a 160 bit message is signed using a 320 bit signature but computations are all done modulo a 512 bit prime. The methodology involves the restriction of all computations to a subgroup of size 2^160. The assumed security of the scheme is based on two different but very related problems. First of these is the discrete log in the entire group which uses a 512 bit modulus, where the index calculus algorithm applies. The second is the discrete log problem in the subgroup of the cyclic group of nonzero elements in the finite field. Here Shanks's square root algorithm reduces the complexity to O(2^80) since the exponent is only 160 bits.


Hardness of Bits 

[0033] As indicated in the introduction, the notion of hard bits is very characteristic of every one way function. In particular hardness of bits with respect to the discrete logarithm has been extensively studied. In this paper we define a mild variation of hard bits.

Definition 1

[0034] Let f and f' be one way functions, where R_f is the range of f. Let B: R_f -> {0,1} be a Boolean predicate. Given f(x) for some x, the predicate B(x) is said to be f'-hard if computing B(x) is as hard as inverting f'.

[0035] Normally when we discuss hard bits, f and f' are the same. For example, discovering the Blum-Micali bit is as hard as computing the discrete logarithm. But in this paper we allow f and f' to be different. An example of this new phenomenon is discrete exponentiation modulo a composite modulus. Here the discrete logarithm in the ring of integers modulo a composite is a hard function, and so is factoring. Here given g^x for some fixed g and generic x, finding individual bits of this discrete logarithm is as hard as factoring. This was proved by Hastad et al in [HSS]. In this paper we consider a similar situation. We consider the one way function of discrete exponentiation, but we prove that the n-O(log n)^+ bits of the exponent are DLSE-simultaneously hard. The best previous result showed simultaneous hardness of n/2 of the bits [HSS], but our result shows simultaneous hardness for almost all the n bits. Our results are maximal as far as the discrete logarithm is concerned. In other words, if in any iteration we drop only O(log n) bits, then any attacker can compute the seed of the generator by making a polynomial number of guesses. Hence one cannot improve on these results regarding the number of bits produced per iteration any further.

Binary Representation 

[0036] The number x can be represented in binary as b_{n-1}2^{n-1} + b_{n-2}2^{n-2} + ... + b_1 2 + b_0, where b_i is either 0 or 1. The
i-th bit problem is to discover the value of b_i of x. The i-th bit is hard if computing it is as difficult as computing the entire
logarithm. If we had an oracle, O^i(g,p,y), which outputs the value of b_i, then the bit is hard if there is a Poly(n) time
algorithm which makes Poly(n) queries to the oracle O^i(g,p,Y) for various values of Y and computes the entire value
of x. We know the least significant bit is not hard because there is a Poly(n) time algorithm to compute it, namely by
computing the Legendre symbol.

[0037] An imperfect oracle, O^i_ε(p,g,Y), is usually defined as an oracle which outputs the correct bit value with
probability greater than 1/2 + 1/Poly(n).

Blum-Micali Representation 

[0038] In this paper we will use the binary representation when we discuss the security of the i-th bit; however, we
want to mention another interpretation of the i-th bit. Blum-Micali introduced a particular bit predicate, B(x), and showed its
hardness. B(x) is 0 if 0 <= x <= (p-1)/2 and B(x) is 1 if (p-1)/2 < x <= p-1. This is sometimes referred to as the most
significant bit of x and it is clearly different from the most significant bit of x under the binary representation. Others
[LW] have extended the definitions to define the k most significant bits. Often the Blum-Micali representation is used
to refer to the most significant bits, while the binary representation is used for the least significant bits. In this paper
we will use the binary representation when referring to the i-th bit, unless specified otherwise.
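The two statements above (the least significant bit of the exponent is readable from the Legendre symbol, and the Blum-Micali "most significant bit" is not the binary one) can be checked directly. The following is an added example, not code from the patent; the group parameters p = 1019 (a safe prime, p-1 = 2·509) and g = 2 (a generator of Z_p^*) are constructed toy values chosen only so that every exponent can be enumerated.

```python
# Added example (not from the patent). Toy parameters, assumed for illustration:
# p = 1019 is a safe prime (p - 1 = 2 * 509) and g = 2 generates Z_p^*.
P = 1019
G = 2


def lsb_of_exponent(y, p):
    """Bit 0 of log_g(y) for a generator g, via Euler's criterion.

    A generator is a quadratic non-residue, so g^x is a residue exactly when x
    is even. One modular exponentiation therefore reveals the LSB of the
    exponent, which is why the generator never outputs that bit.
    """
    return 0 if pow(y, (p - 1) // 2, p) == 1 else 1


def blum_micali_bit(x, p):
    """Blum-Micali 'most significant bit' predicate B(x) on 0 <= x <= p-1."""
    return 0 if x <= (p - 1) // 2 else 1


def binary_msb(x, n):
    """Most significant bit of x under the n-bit binary representation."""
    return (x >> (n - 1)) & 1


def legendre_leaks_lsb(p=P, g=G):
    """True iff Euler's criterion recovers bit 0 of every exponent in [0, p-2]."""
    return all(lsb_of_exponent(pow(g, x, p), p) == (x & 1) for x in range(p - 1))


def predicates_disagree_on(p=P):
    """Exponents on which the Blum-Micali bit and the binary MSB differ.

    For p = 1019 (n = 10 bits) B(x) flips at x = 510 while the binary MSB
    flips at x = 512, so the two predicates disagree on x = 510 and 511.
    """
    n = p.bit_length()
    return [x for x in range(p - 1) if blum_micali_bit(x, p) != binary_msb(x, n)]
```

The gap between the two predicates is small for this toy prime and is at most (2^n - p) exponents in general; what matters for the rest of the section is that the paper's "i-th bit" means the binary one.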

Individual Hardness of Bits 

[0039] In this section, we discuss the security of the trailing n-O(log n)+ bits, where O(log n)+ is as defined earlier.
To be precise, we show that except for the least significant bit, all the n-O(log n)+ lower bits are individually hard with
respect to the DLSE problem. Based on definition 1, this amounts to proving the bits of the discrete logarithm are
DLSE-hard.

[0040] Let O^i(g,y,p) be an oracle which gives the i-th bit (for any i in [2, n-O(log n)+]). Note that i increases from right
to left and i=1 for the least significant bit. Given this oracle we show that in a polynomial number of steps we can compute
the short exponent discrete logarithm. In addition, we prove hardness of individual bits by showing that given O^i_ε
(g,y,p) with ε advantage to predict the i-th bit (for any i in the prescribed range) which runs in polynomial time,
we can turn this into an algorithm to compute the discrete logarithm of a short exponent by making a polynomial number
of queries to this oracle. For the rest of the paper we will refer to the lower k bits to mean the lower k bits excluding the least
significant bit, for any k.

Theorem

[0041] The lower n-O(log n)+ bits are DLSE-individually hard.

[0042] Proof: According to definition 1, it is enough to show that given O^i(g,y,p) we can compute log y for all y such
that x=log y is a short exponent. Without loss of generality, let us assume that p-1=2q, where q is an odd integer.

(a) Perfect Oracles - O^i(g,y,p). We are given g^x and g and we know in advance that x is small (consisting of O(log
n)+ bits). Now, computing the least significant bit is always easy, via the Legendre symbol. Hence we compute it
and set it to zero. Let i=2 and suppose we have an oracle for the 2nd bit. If this is a perfect oracle then we compute
the second bit. Once this is computed then we set it to zero and we will continue to refer to the new number as g^x.
Next we compute the square roots of g^x. The roots are g^{x/2} and g^{x/2+(p-1)/2}, where we refer to the former as the
principal square root. Since the two least significant bits of x are now zero, we know that the principal square root has
LSB equal to zero (or equivalently Legendre symbol one). This allows us to identify the principal square root. Now
run the oracle on the principal square root and compute the second least significant bit. This bit is really the third
least significant bit of x. Once again, set this bit to zero and repeat the process. Clearly, in poly(n) steps we would
have computed x one bit at a time from right to left. Now, when i>2 we square g^x (i-1) times. Then the 2nd LSB
is at the i-th position, and we run the oracle to compute this bit. Zero this bit and once again compute square roots.
The principal square root corresponds to the root with LSB equal to zero. Now the (i+1)-th bit of x can be computed
by running the oracle on the principal square root. Continue this process and in k steps, where k=log x, we would
know x.

(b) Imperfect Oracles - O^i_ε(g,y,p). Suppose we have an imperfect oracle which succeeds in finding the i-th bit
in only ε more than fifty percent of the x in (Z/(p))^*. Then we can concentrate the stochastic advantage and
turn this oracle into an oracle which answers any specific instance correctly with arbitrarily high probability.
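Step (a) of the proof is a mechanical procedure, and the same "pick the quadratic-residue root" rule reappears in the proof of Theorem 2 below, so it is worth running once. The block below is an added example and not the patent's own code. It uses the constructed toy group p = 1019 (p-1 = 2·509, hence p ≡ 3 mod 4 and square roots are a single exponentiation) with g = 2, and it simulates the hypothetical perfect 2nd-bit oracle O^2(g,y,p) by tabulating every discrete logarithm, which only the toy size makes possible; everything else uses exactly the operations of the proof. It needs Python 3.8+ for pow(g, -1, p).

```python
# Added example (not the patent's code). Toy group assumed for illustration:
# p = 1019 is a safe prime (p - 1 = 2 * 509, so p = 3 mod 4) and g = 2 generates Z_p^*.
P = 1019
G = 2


def lsb_of_exponent(y, p):
    """Bit 0 of log_g(y) via Euler's criterion (g is a quadratic non-residue)."""
    return 0 if pow(y, (p - 1) // 2, p) == 1 else 1


def principal_sqrt(y, p):
    """Of the two square roots g^{e/2} and g^{e/2 + (p-1)/2} of a residue y = g^e,
    return the one whose exponent is even, i.e. the root that is itself a residue.
    Uses r = y^{(p+1)/4}, valid because p = 3 mod 4; -1 is then a non-residue,
    so exactly one of r and p - r is a residue."""
    r = pow(y, (p + 1) // 4, p)
    return r if pow(r, (p - 1) // 2, p) == 1 else p - r


def make_perfect_second_bit_oracle(p, g):
    """Simulated O^2(g, y, p): returns bit 1 of log_g(y) by table lookup.
    This stands in for the hypothetical oracle of the proof; it exists only
    because the toy group is small enough to enumerate."""
    table = {pow(g, x, p): x for x in range(p - 1)}
    return lambda y: (table[y] >> 1) & 1


def recover_short_exponent(y, p, g, second_bit_oracle, max_bits):
    """Recover x < 2**max_bits from y = g^x mod p, one bit per round, using only
    Euler's criterion, the 2nd-bit oracle and principal square roots (proof step (a))."""
    g_inv = pow(g, -1, p)
    g_inv2 = g_inv * g_inv % p
    bits = [lsb_of_exponent(y, p)]            # bit 0 is always easy
    cur = y * g_inv % p if bits[0] else y     # clear bit 0 of the exponent
    for _ in range(1, max_bits):
        b = second_bit_oracle(cur)            # 2nd LSB of the current exponent
        bits.append(b)
        if b:
            cur = cur * g_inv2 % p            # clear it: exponent now ends in 00
        cur = principal_sqrt(cur, p)          # halve the exponent; next bit of x moves into place
    return sum(b << i for i, b in enumerate(bits))


def demo(x=89, max_bits=8):
    """Run the recovery on a constructed instance and return the recovered exponent."""
    oracle = make_perfect_second_bit_oracle(P, G)
    return recover_short_exponent(pow(G, x, P), P, G, oracle, max_bits)
```

Each round halves the exponent, so the bit the oracle reads as "second least significant" is bit 2, then bit 3, and so on of the original x; the residue test on the roots is what keeps the exponent from acquiring the stray (p-1)/2 term. An imperfect oracle (part (b)) would replace the single query per round with a majority vote over randomized queries, as the next paragraphs describe.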

[0043] We divide the proof into two parts:

(i) The lower 2·O(log n) bits are individually hard.

(ii) The middle n-O(log n)+ to 2·O(log n) bits are individually hard.






[0044] (i) Suppose we have an imperfect oracle whose advantage is ε, i.e., the oracle can give the correct
answer on ε more than fifty percent of the possible inputs (and we do not know which ones). Then let r_j be a
sequence of a polynomial number of random numbers between 1 and p-1. We run the oracle on g^{x+r_j}, where the LSB
of x is zero. Via the weak law of large numbers, a simple counting of the majority of 1's and 0's of the oracle output
(after neutralizing the effect of the random number) for the second LSB yields this bit. Now compute the square roots
and pick the principal square root as earlier. Once again repeat the process with a fresh set of random numbers to
discover the next bit. Clearly in poly(n) steps we would have discovered x one bit at a time from right to left. The proofs
are omitted, and we refer to [Pe] for details.

[0045] Suppose i>2. Then we square g^x i-1 times, and repeat the above process and conclude that any
oracle which has an ε advantage will lead to a polynomial time algorithm to compute x. The only aspect
that needs additional mention is the fact that, when we randomize, it is possible that for some r_j, when we add them to
the exponent, we may exceed p-1. We refer to this as cycling. Assuming that we pick our random numbers uniformly,
then we argue that the probability of this cycling is bounded above by 1/poly(n) and hence we need to increase
the number of queries by a certain amount corresponding to the drop in cycling. Once again the details of the proofs
are omitted and the reader is referred to Blum-Micali [BH] for the techniques.

[0046] (ii) The proof of this step is also similar to the second part of the proof of (i) except that one has to set the
initial t bits to zero by guessing, before we start the randomizing process. Here t is again a poly(log n) number
and hence the probability of cycling is bounded above as earlier. Once again the details are omitted for brevity and will
be included in an expanded version of this paper.


Discrete Logarithm Hides Almost n bits 

[0049] In this section we prove the simultaneous hardness of the n-O(log n)+ lower bits of the index in modular
exponentiation. Intuitively, given a generator g of a finite field of order p, and g^x for some x, we show that gaining any
information about the trailing n-O(log n)+ bits is hard. Here hardness is with respect to the DLSE problem. In other
words, for any prime p, given a random generator g and a random element g^x of the finite field, any information on the
relevant bits of x can be converted into a poly(n) algorithm to solve the DLSE problem. Now, the phrase "gaining any
information" is rather vague, and this is clarified by the concept of simultaneous security, which is defined below for any
generic one way function.

Definition 2 

[0050] Let f be a one way function. A collection of k bits, B^{(k)}(x), is said to be simultaneously secure for f if B^{(k)}(x) is easy
to compute given x and, for every Boolean predicate B, an oracle which computes B(B^{(k)}(x)) correctly with probability
greater than 1/2 given only f(x) can be used to invert f in Poly(n) time.

[0051] In this paper we will be employing a modified notion of simultaneous security relative to a possibly different
one way function.

Definition 3

[0052] Let f and f' be one way functions whose range is [0,N]. A k-bit predicate B^k is said to be f'-simultaneously hard
if, given f(x), for every non-trivial Boolean predicate B on k bits, an oracle which outputs B(B^k(x)) can be used to invert
f' in polynomial time. If B^k is an f'-hard predicate then we say the bits of B^k(x) are f'-simultaneously hard.

[0053] The above definition, although precise, is not easy to apply when understanding simultaneous security. A
more workable definition is provided in definition 4, phrased in the language of the discrete logarithm problem over a
prime modulus.
Definition 4

[0054] The bits of the exponentiation function g^x mod p at locations j <= i <= k are DLSE-simultaneously hard if the
[j,k] bits of the discrete logarithm of g^x mod p are polynomially indistinguishable from a randomly selected [j,k] bit string
for randomly chosen (g, p, g^x mod p). In addition, any polynomial distinguishability will lead to an oracle which solves the
DLSE problem in polynomial time.

[0055] Once again, proving polynomial indistinguishability of a group of bits as above is difficult. But the notion of relative
hardness helps alleviate this problem and in fact leads to a test of simultaneous security.

Definition 5

[0056] The i-th bit, j <= i <= k, of the function g^x mod p is relatively hard to the right in the interval [j,k] if no polynomial
time algorithm can, given a random admissible triplet (g, p, g^x mod p) and in addition given the k-i bits of the discrete
logarithm of g^x to its right, compute the i-th bit of the discrete logarithm of g^x with probability of success greater than
1/2 + 1/poly(n) for any polynomial poly(n), where n=log p.

[0057] Based on this definition, we have a test for simultaneous security. The statement of this test is the following
theorem.
Theorem 1 


[0058] Definitions 4 and 5 are equivalent. 

[0059] The proof of this equivalence for non-biased bits is basically the well-known proof of the universality of the
next bit test due to Yao [Y]. This proof technique is explained in [BH]. Now, using this theorem and the intractability of
the DLSE problem we show that the trailing n - O(log n)+ bits are simultaneously hard.

Theorem 2

[0060] The n - O(log n)+ trailing bits of g^x mod p are simultaneously hard with respect to the DLSE problem.

[0061] Proof: It is sufficient to show that every trailing bit of x is relatively hard to the right in the interval [2, n-O(log
n)+]. Note that individual hardness of bits does not imply the simultaneous hardness of all bits. Following the definitions
and theorem above we know that, in order to show simultaneous security, we are allowed to use only a weak oracle:
given g^x, to predict the i-th bit of x, all the i-1 trailing bits of the unknown x should also be given to the oracle. This is a
very hard task in general.

[0062] Assume the theorem is false. Then, for some i in [2, n-O(log n)+] there exists an oracle which, when supplied
with the trailing i-1 bits of a generic g^x, succeeds in predicting the i-th bit of x with advantage ε, where ε is
1/poly(n). Now pick an element S=g^s where s is a short exponent. We can shift s to the left by squaring S the appropriate
number of times. Since 0 <= i < n-O(log n)+ we can shift s by i-O(log n) bits to the left without cycling. Recall, by cycling
we mean the exponent exceeds p-1 and hence its remainder modulo p-1 replaces the exponent. Now the 2nd LSB of
s rests on the i-th bit and we can run the oracle repeatedly by multiplying by g^r mod p, where r is a random number
between 0 and p-1. In order to make sure that the probability of cycling is low we may have to set the t=poly(log n)
leading bits of s to zero, which we can exhaustively guess, and run the algorithm for each guess. At the end of the
algorithm we have a candidate and we can see if g^candidate equals S. If it does then we stop, or else repeat the algorithm
with another guess. Since we will continue to have an ε' >= ε - 1/t advantage we can deduce the bit from
the oracle in poly(n) time. We know the 2nd LSB of s in this manner. We set that bit to zero, and take the square root
of the number. Of the two roots we should pick the one which is the quadratic residue, because all the lower bits are
zero to begin with and hence the square root should have a zero in the LSB. Now the next bit of s is in the i-th position
and we can run the oracle repeatedly to discover this bit, and so on to recover all the bits of s. Note the oracle is very
weak, unlike the case for the individual bit oracle. The oracle here will tell you the bit with ε advantage provided
you also supply all the i-1 bits to the right of i. However, we are able to do this because all the bits to the right of the
shifted s are known to be zero, since we started with a short exponent. Now we have shown that for every i such that
2 <= i < n-O(log n)+ we can use this weak oracle to discover s; thus we have shown the trailing bits to be simultaneously
hard provided the function g^s mod p with s of size O(log n)+ is hard to invert.

Pseudo Random Bit Generator 

[0063] In this section we provide the details of the new pseudo random bit generator. In particular we extend the
scheme used by Blum-Micali [BM] to extract more bits. This is the same scheme that Long-Wigderson [LW] used in
their generator but their output consisted of log n bits per iteration. In our new scheme we produce n-O(log n)+ bits per
iteration. Recall from section 2 that the Blum-Micali scheme used a mildly different definition of "bits". We use the same
definition of bits as Hastad et al. but we do not encounter the difficulties they did in defining the generation scheme
since our exponentiation induces a permutation on (Z_p)^*.

[0064] NEWGENERATOR: Pick a seed s_0 from (Z_p)^*. Define s_{i+1} = g^{s_i} mod p. At the i-th step (i>0) output the lower
n-O(log n)+ bits of s_i, except the least significant bit.



Proof of Security 

[0065] Suppose A is an ε-distinguisher of the l-long output of our generator (l is poly in n); then there is an
(ε/l)-distinguisher for any output at the i-th step. In particular there is an (ε/l)-distinguisher for the n-O(log n) bits
of s_0. According to our definitions in the previous section, due to Yao [Y], we can use a distinguisher to create a weak
oracle which will tell us the i-th bit of x provided we also give it the rightmost i-1 bits of x.

[0066] Now we note that we can use this to discover x given g^x mod p where x is slightly larger than O(log n). We
repeatedly invoke the "oracle" by setting s_0 = (g^x)·g^r. Thus we can discover the i-th bit in poly(n) time.

[0067] Using techniques shown in theorem 3 we can discover the entire x. So if the output sequence of our generator
is ε-distinguishable then in poly(n) time we can discover x of our exponentiation function. Assuming it is intractable
to invert the function g^x mod p where x is slightly larger than O(log n) bits (i.e., a short exponent), then the output sequence
of our generator is polynomially indistinguishable.

Conclusion

[0068] We have shown that the discrete logarithm mod a prime p hides n-O(log n)+ bits by showing the simultaneous
hardness of those bits. The hardness in this result is with respect to the discrete logarithm problem with short exponents,
i.e., DLSE-simultaneously hard (as defined in section 2 of this paper).

[0069] This allows us to extract n - O(log n)+ bits at a time for pseudo random generation and other applications. As
an example, for n of size 1024 bits and s of size 128 bits this allows us to extract almost 900 bits per exponentiation.
Spoken informally, we note that the security of this example is 2^64 since it takes O(2^64) for the best known algorithm
to crack a modular exponentiation with 128 bits. Also, if one desires more security at every step then we can decrease
the number of bits extracted at every stage. This generator outputs the maximal number of bits from a single iteration.
Extracting any more bits in any iteration leads to a prediction of bits, since we would then be dropping O(log n) bits
and hence in a polynomial number of guesses we would know the complete exponent in every iteration.

Bibliography 

[0070]



[ACGS] W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA/Rabin bits are 1/2+1/poly(log N) secure. Proceedings of 25th FOCS, 449-457, 1984.

[BCS] M. Ben-Or, B. Chor, A. Shamir, On the cryptographic security of single RSA bits. Proceedings of 15th STOC, 421-430, 1983.

[BBS] L. Blum, M. Blum, and M. Shub, A simple secure pseudo-random number generator. SIAM J. Computing, 15 No. 2:364-383, 1986.

[BM] M. Blum, and S. Micali, How to generate cryptographically strong sequences of pseudo random bits. SIAM J. Computing, 13 No. 4:850-864, 1984.

[BH] R. B. Boppana, and R. Hirschfeld, Pseudorandom generators and complexity classes. Advances in Computing Research, 5 (S. Micali, Ed.), JAI Press, CT.

[DSS] U. S. Department of Commerce/N.I.S.T., Digital Signature Standard, FIPS 186, May 1994.

[GL] O. Goldreich, and L. A. Levin, A hard-core predicate for all one way functions. Proceedings of 21st STOC, 25-32, 1989.

[GM] S. Goldwasser, and S. Micali, Probabilistic encryption. Journal of Computer and Systems Science, 28: 270-299, 1984.

[HSS] J. Hastad, A. W. Schrift, and A. Shamir, The discrete logarithm modulo a composite modulus hides O(n) bits. Journal of Computer and System Sciences, 47: 376-404, 1993.

[ILL] R. Impagliazzo, L. A. Levin, and M. Luby, Pseudo-random generation from one-way functions, Proceedings of 20th STOC, 12-24, 1988.

[Ka] B. S. Kaliski, A pseudo-random bit generator based on elliptic logarithms, Advances in Cryptology - CRYPTO '86 (LNCS 263), 84-103, 1987.

[KMO] J. Kilian, S. Micali, and R. Ostrovsky, Minimum resource zero-knowledge proofs, Proceedings of 30th FOCS, 474-489, 1989.

[Kn] D. E. Knuth, The Art of Computer Programming (vol 2): Seminumerical Algorithms, Addison Wesley, 2nd edition, 1981.

[Ko] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48: 203-209, 1987.

[LW] D. L. Long, and A. Wigderson, The discrete log hides O(log n) bits. SIAM J. Computing, 17: 363-372, 1988.

[Mi] V. Miller, Elliptic curves and cryptography, Advances in Cryptology - CRYPTO '85 (LNCS 216), 417-426, 1986.

[Na] M. Naor, Bit commitment using pseudo-randomness. Advances in Cryptology - CRYPTO '89 (LNCS 435), 128-136, 1989.

[OW] P. van Oorschot, M. Wiener, On Diffie-Hellman key agreement with short exponents, Advances in Cryptology - EUROCRYPT '96 (LNCS 1070), 332-343, 1996.

[Pe] R. Peralta, Simultaneous security of bits in the discrete log, Advances in Cryptology - EUROCRYPT '85 (LNCS 219), 62-72, 1986.

[PH] S. C. Pohlig, and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. IT, 24: 106-110, 1978.

[Po] J. M. Pollard, Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32, No. 143: 918-924, 1978.

[VV] U. V. Vazirani, and V. V. Vazirani, Efficient and secure pseudo-random number generators, Proceedings of 25th FOCS, 458-463, 1984.

[Y] A. C. Yao, Theory and applications of trapdoor functions, Proceedings of 23rd FOCS, 80-91, 1982.

Appendix 

[0071] In this section we discuss some extensions of our results which will be addressed in an extended version of
this paper.

Improving Efficiency of Computations

[0072] Let us focus on the mechanics of the generator. We start with a finite field, and a generator g of its multiplicative
cyclic group. Let s_0 be a secret seed. Then we define s_{i+1} = g^{s_i} iteratively. The output of the generator are the trailing
n-O(log n)+ bits of s_i for all i>0, where n=log p.

[0073] Although the number of bits generated per iteration is large, each iteration involves a large exponent and this
could impact the speed of the generator. Instead, we could start with p, g, and s_0 as earlier, but at each stage we
define s_{i+1} = g^{s_i'} where s_i' = the leading O(log n)+ bits of s_i. This will ensure that at each stage we are using short
exponents and hence guarantee a significant speed up. This raises some interesting questions.

Question

[0074] Will this speed impact the security of the generator? 

[0075] Note that when we restrict our exponents we no longer have a permutation. Hence the simple construction
used here is inapplicable. A possible method of settling this problem is outlined in Hastad et al. in the context of discrete
logarithms over composite moduli [HSS]. In particular, exploiting a certain hashing lemma proved in [ILL] they construct
a perfect extender and the pseudo-random generation is achieved through repeated applications of the extender to a
random seed.

Question 


[0076] Is it possible to adapt techniques from [HSS] to short exponent exponentiation in a finite field and guarantee 
a speed up of computations and security? 

Discrete Logarithms in Abelian Groups

[0077] Let G be a finite Abelian group. Let g in G and let y = g^x (where x is unknown and we are using the multiplicative
notation to denote the group operation). The discrete logarithm problem in the subgroup generated by g asks for the
value of x given g and y. Clearly, the possible values x can take are from 0 to o(g), where o(g) denotes the order of g,
and the subgroup generated by g is cyclic.

[0078] In this context, Kaliski [Ka] has shown that under the intractability assumption of the discrete log in the subgroup
generated by g the individual bits of x are hard. In this paper the Blum-Micali notion of bits is employed, and the
proof of individual hardness is based on a novel and new oracle proof technique.

[0079] The main idea being, the identification of bits is based on a correlation function which automatically accommodates
cycling and changes in bits due to randomization. In addition, he completely avoids the computation of square
roots which is central to several of the other works on individual bit security. This paper also states that log n bits are
simultaneously hard. Presumably, the techniques of Long-Wigderson once applied in the framework of generic Abelian
groups yield this result.

[0080] Now, we note that assuming the discrete logarithm problem with short exponents is also hard in the chosen
Abelian group, our results on simultaneous hardness of the trailing bits are applicable. Here one could adapt the techniques
outlined by Kaliski in order to deduce simultaneous hardness. Once this is shown then a pseudo random generation
scheme can be outlined based on techniques developed by Hastad et al. The main problem is to address the
fact that the subgroup generated by g may be a proper subgroup and hence the group operation on g will not produce
a permutation of the group to itself. The exact details of the simultaneous hardness and the subsequent scheme of
pseudo random bit generation will be deferred to an extended version of this paper. This result will be very useful
when applied to elliptic curves over finite fields.

Bit Commitment Schemes 

[0081] Several cryptographic schemes require the communicating individuals to commit to a certain message without
revealing any information about the contents of the message. Several single bit and multi-bit commitment schemes
have been presented in the past. Multi-bit schemes which improve the efficiency of existing protocols are outlined in
[KMO]. An example of a multi-bit commitment scheme based on pseudo random bit generators is Naor's scheme [Na].
In [HSS], Hastad et al. present a scheme which directly uses exponentiation modulo a composite integer. But all schemes
based on pseudo-random generators depend on the efficiency of the generator. Hence the efficiency of the generator
presented in this paper suggests that bit commitment schemes can be speeded up. This topic will also be explored later.

[0082] Although the present invention has been described in considerable detail with reference to cryptography and
communication, other applications and versions are possible. For example, the pseudo-random number generator may
be used for simulations and other cryptographic applications. Therefore, the spirit and scope of the present invention
should not be limited to the description of the embodiments contained herein.
Claims

1. A method of generating pseudo-random numbers using a pseudo-random generator defined by a modular exponential
function x_i = g^{x_{i-1}} mod p, wherein x_i is a value comprising m bits, p is a prime number comprising k bits, g
is a generator of the integers mod p, and 1<i<n, the method comprising the steps of:

receiving a seed value x_0 comprising m bits; and

CHARACTERIZED BY

outputting a pseudo-random number of the value x_i determined using the seed value x_0, the pseudo-random
number z_i including a second least significant bit of the value x_i through a j-th least significant bit of the value
x_i, the value j being no larger than m-2c, the value c representing a cryptographic security threshold level; and
combining the pseudo-random number z_i with a message segment to produce an encrypted message segment.

2. The method of claim 1, wherein the cryptographic security threshold level c is at least 64.

3. The method of claim 1, wherein the value x_i comprises at least 512 bits.

4. The method of claim 1, wherein the value p comprises at least 512 bits.

5. The method of claim 1, wherein the value x_i comprises at least 1024 bits.

6. The method of claim 1, wherein the value p comprises at least 1024 bits.

7. The method of claim 1 comprising the additional step of:
generating the value x_i.

8. The method of claim 1, wherein the message segment comprises j-1 bits.

9. The method of claim 1 wherein the message segment is combined with the pseudo-random number z_i using an
XOR binary operation.
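NEWGENERATOR (paragraph [0064]), the encryption method of claims 1 to 9, and the short-exponent variant of Appendix [0073] all fit in a few functions, so the following added example (not code from the patent or the paper) implements them together. The modulus p = 1019 (a safe prime) and generator g = 2 are constructed toy parameters; a 10-bit modulus cannot satisfy the claimed threshold c >= 64, so the demo uses c = 2 purely to exercise the mechanics, and the bound j <= m - 2c of claim 1 is applied with m taken as the bit size of the modulus. Using 2c bits for the shortened exponent of the Appendix variant mirrors the conclusion's 128-bit exponent for c = 64 and is an assumption of this example, not something the patent fixes.

```python
# Added example (not the patent's code). Toy parameters, assumed for illustration:
# p = 1019 (safe prime, p - 1 = 2 * 509), g = 2 generates Z_p^*, c = 2 instead of
# the claimed c >= 64 so that a 10-bit modulus still leaves j - 1 = 5 output bits.
P = 1019
G = 2


def output_bits(x, j):
    """z_i: the 2nd through j-th least significant bits of x, i.e. j - 1 bits.
    Bit 1 is dropped because the Legendre symbol of g^x reveals it."""
    return (x >> 1) & ((1 << (j - 1)) - 1)


def next_state(x, p=P, g=G, short_bits=None):
    """One generator step x -> g^x mod p. With short_bits set, only the leading
    short_bits bits of x are used as the exponent (Appendix [0073] variant; the
    patent leaves the security of that variant as an open question)."""
    if short_bits is not None:
        x = x >> max(p.bit_length() - short_bits, 0)
    return pow(g, x, p)


def keystream(seed, count, p=P, g=G, c=2, short_exponent=False):
    """Return (list of z_i for count steps, j) starting from seed x_0 in Z_p^*.
    j is capped at m - 2c as in claim 1, m being the bit size of the modulus."""
    m = p.bit_length()
    j = m - 2 * c
    if j < 2:
        raise ValueError("modulus too small for security threshold c")
    x = seed
    zs = []
    for _ in range(count):
        x = next_state(x, p, g, 2 * c if short_exponent else None)
        zs.append(output_bits(x, j))
    return zs, j


def xor_with_keystream(seed, data, p=P, g=G, c=2):
    """Encrypt, or with the same seed decrypt, data by XORing each (j-1)-bit
    message segment with z_i (claims 1, 8 and 9). Segments are taken from the
    low end of the big-endian integer value of data; keystream bits beyond the
    last partial segment are discarded so the result has the input's length."""
    m = p.bit_length()
    seg = m - 2 * c - 1                 # message segment size: j - 1 bits
    nbits = len(data) * 8
    nseg = -(-nbits // seg)             # ceiling division: segments needed
    zs, _ = keystream(seed, nseg, p, g, c)
    value = int.from_bytes(data, "big")
    mask = (1 << seg) - 1
    out = 0
    for i, z in enumerate(zs):
        out |= (((value >> (seg * i)) & mask) ^ z) << (seg * i)
    out &= (1 << nbits) - 1             # drop keystream bits past the message
    return out.to_bytes(len(data), "big")


def roundtrip(seed, data):
    """Encrypt then decrypt with the same seed; returns (ciphertext, recovered)."""
    ct = xor_with_keystream(seed, data)
    return ct, xor_with_keystream(seed, ct)
```

With seed 5 the first two states are 2^5 = 32 and 2^32 mod 1019 = 500, giving z_1 = 16 and z_2 = 26 (bits 2 to 6 of each). As with any stream cipher, a seed must never be reused for two messages, since XORing the two ciphertexts cancels the keystream; the patent's security argument concerns the unpredictability of the z_i, not seed management.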